
Getting "Network request failed" on iOS app when app is in background #1000

Open
5 tasks done
Nehal-Zeller opened this issue Nov 6, 2024 · 1 comment
Labels
bug This points to a verified bug in the code

Comments

@Nehal-Zeller

Nehal-Zeller commented Nov 6, 2024

Checklist

Description

I had put the application in the background, and let's say the token also expires at the same time and triggers a refresh call. I get a "Network request failed" error in the catch block of auth0.auth.refreshToken, but on the Auth0 dashboard it's logged as a successful exchange.
When I launch the app again, since the app didn't get the new token, it attempts to refresh the token again, and this time I get a "reuse of token detected" error.

This is difficult to reproduce locally, but I was able to get this information from Sentry and the Auth0 dashboard.
I've attached screenshots from Sentry and the Auth0 dashboard; the logs can be verified from the same timestamps.

An important thing to note here is that this happens only when the app is in the background. In the foreground, everything works as expected.

I would really appreciate some help here.

[Screenshots: Sentry and Auth0 dashboard logs, 2024-11-06 at 7:00 PM and 7:02 PM]

Reproduction

I have no way to reproduce this easily, as it happens when the app is in the background and some background task is triggered when the token is already expired.

The issue is faced by a number of users, but there's no fixed pattern for reproducing it. From the Sentry logs, I was able to identify the above pattern.

Additional context

No response

react-native-auth0 version

3.2.1

React Native version

0.73.6

Expo version

No response

Platform

iOS

Platform version(s)

on all versions

@Nehal-Zeller Nehal-Zeller added the bug This points to a verified bug in the code label Nov 6, 2024
@hiiiP0wer

Hi there,

From the description, it seems the problem is linked to Refresh Token Rotation. This feature is designed to prevent replay attacks, but in certain conditions, it can lead to unintended behavior, especially when dealing with background tasks or network interruptions.

When Refresh Token Rotation is enabled, every refresh token can only be used once. A new refresh token/access token pair is issued each time a valid refresh token is used. If the same refresh token is reused (either intentionally or due to a network issue), Auth0 triggers reuse detection and invalidates the token family (all refresh tokens descending from the original refresh token issued for the client). This ensures security but can cause issues like the one you're facing. The docs have a more detailed explanation.

To confirm that this is the issue, check the Auth0 logs for events like ferrt (failed token exchange due to reuse detection). This can help confirm whether the issue stems from refresh token reuse.

Here is what could be happening in your case (many other things could cause it):

  1. The app attempts to refresh the token while in the background.
  2. Network Request Fails: Due to the app being in the background or a slow network, the network request fails and the new credentials aren't saved.
  3. Reuse Detected: When the app comes to the foreground, it retries with the same (now invalidated) refresh token, triggering the "reuse of token detected" error.

Other Potential Causes

  • Concurrency or Network Delays: If you're using CredentialsManager, it might retry refreshing the token automatically. If the original request succeeds on Auth0's side but fails locally (e.g., due to the app being in the background), subsequent retries will trigger reuse detection.

Recommended Solutions

  1. Enable Rotation Overlap Period
    Auth0 provides a Rotation Overlap Period to prevent issues caused by slight delays between requests or concurrency. During this period, the breach detection features are disabled, allowing for safe token exchanges.

To configure this:

  1. Go to your Auth0 dashboard.
  2. Navigate to the Application Settings for your app.
  3. Set a reasonable overlap period (e.g., 60 seconds).
[Screenshot: Auth0 Application Settings, Rotation Overlap Period, 2024-11-28 at 12:07 PM]
  2. Increase Fetch Timeout
    If you're using your own Auth0 instance instead of the default hook, you can extend the timeout for token refresh requests. This allows more time for the network request to complete before failing due to timeout.
    Example:
    import Auth0 from 'react-native-auth0';
    // timeout is in milliseconds; 20_000 gives the refresh request 20 seconds to complete
    const auth0 = new Auth0({ domain, clientId, timeout: 20_000 });
  3. Disable Refresh Token Rotation
    Since this is a mobile app, you can consider disabling Refresh Token Rotation, since tokens are stored securely (e.g., in the device's Keychain or equivalent). This avoids the complications of rotating refresh tokens altogether.
    You can disable this in the Application Settings under the Advanced Settings. Check the link.

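The race described in the reply above (the server commits the rotation, the backgrounded app never stores the response, and the retry trips reuse detection), as an added example that is not part of this thread and not react-native-auth0 or Auth0 code. It is a simplified in-memory JavaScript model of a rotating-refresh-token server with reuse detection and a configurable overlap period, plus a client whose response is lost while suspended. The names RotatingTokenServer, BackgroundedClient, simulate and the 'exchange_ok' log type are constructed for this example; only ferrt is the Auth0 log type named in the reply, and Auth0's real semantics are reduced to what the scenario needs.

```javascript
// Added example (constructed; not react-native-auth0 or Auth0 code): a minimal
// model of refresh-token rotation + reuse detection with an overlap period,
// used to replay the "response lost while backgrounded" failure sequence.

class RotatingTokenServer {
  constructor({ overlapSeconds = 0 } = {}) {
    this.overlapMs = overlapSeconds * 1000;
    this.families = new Map(); // familyId -> { revoked: boolean }
    this.tokens = new Map();   // refreshToken -> { familyId, usedAtMs: number | null }
    this.log = [];             // constructed stand-in for the tenant log
    this.counter = 0;
  }

  issue(familyId) {
    const token = `rt_${familyId}_${++this.counter}`;
    this.tokens.set(token, { familyId, usedAtMs: null });
    return token;
  }

  login() {
    const familyId = `fam${this.families.size + 1}`;
    this.families.set(familyId, { revoked: false });
    this.log.push({ type: 'login', familyId });
    return this.issue(familyId);
  }

  // Exchange a refresh token for a new access/refresh pair (rotation).
  refresh(refreshToken, nowMs) {
    const rec = this.tokens.get(refreshToken);
    if (!rec) throw new Error('invalid_grant: unknown refresh token');
    const family = this.families.get(rec.familyId);
    if (family.revoked) {
      this.log.push({ type: 'ferrt', familyId: rec.familyId, reason: 'family revoked' });
      throw new Error('invalid_grant: family revoked');
    }
    if (rec.usedAtMs !== null && nowMs - rec.usedAtMs > this.overlapMs) {
      // Reuse outside the overlap window: treat the token as leaked and
      // revoke every token descending from it (the whole family).
      family.revoked = true;
      this.log.push({ type: 'ferrt', familyId: rec.familyId, reason: 'reuse detected' });
      throw new Error('reuse of token detected');
    }
    // First use, or a re-delivery inside the overlap window: rotate normally.
    rec.usedAtMs = rec.usedAtMs ?? nowMs;
    this.log.push({ type: 'exchange_ok', familyId: rec.familyId });
    return { accessToken: `at_${++this.counter}`, refreshToken: this.issue(rec.familyId) };
  }
}

class BackgroundedClient {
  constructor(server) {
    this.server = server;
    this.refreshToken = server.login(); // what the app persisted at login
  }

  // `responseLost` models the app being suspended after the server committed
  // the rotation but before the response was delivered and stored locally.
  refresh(nowMs, { responseLost = false } = {}) {
    const creds = this.server.refresh(this.refreshToken, nowMs);
    if (responseLost) throw new Error('Network request failed');
    this.refreshToken = creds.refreshToken; // persist the rotated token
    return creds;
  }
}

// Replay: one refresh whose response is lost, then a retry after a delay.
function simulate({ overlapSeconds, retryAfterSeconds }) {
  const server = new RotatingTokenServer({ overlapSeconds });
  const client = new BackgroundedClient(server);
  const outcome = { firstAttempt: null, retry: null, familyRevoked: false, log: server.log };
  try { client.refresh(0, { responseLost: true }); outcome.firstAttempt = 'ok'; }
  catch (e) { outcome.firstAttempt = e.message; }
  try { client.refresh(retryAfterSeconds * 1000); outcome.retry = 'ok'; }
  catch (e) { outcome.retry = e.message; }
  outcome.familyRevoked = [...server.families.values()].some((f) => f.revoked);
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [
    { overlapSeconds: 0, retryAfterSeconds: 30 },
    { overlapSeconds: 60, retryAfterSeconds: 30 },
    { overlapSeconds: 60, retryAfterSeconds: 300 },
  ]) {
    const r = simulate(s);
    console.log(JSON.stringify({ ...s, firstAttempt: r.firstAttempt, retry: r.retry, familyRevoked: r.familyRevoked }));
  }
}
```

Running it shows the three cases side by side: with no overlap period the retry revokes the family and logs ferrt, with a 60-second overlap a retry 30 seconds later succeeds, and the same overlap does nothing for a retry that arrives after the window has closed. The overlap period therefore only covers retries that land quickly; a backgrounded app that resumes minutes later still needs the client-side fixes (a longer timeout so the response is actually received, and a single in-flight refresh so concurrent callers never send the same token twice).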